White PaperCOBIT 5 – An Introduction

The demands on executives and management nowadays are significant to say the least. From the corporate boardrooms of Wall Street, New York, United States of America to the Non-governmental organizations in Johannesburg, South Africa, to the ‘one man band’ aspiring to create an empire from his or her garage in a tiny village in the middle of nowhere. For organizations competing in the modern business environment, it really is survival of the fittest. The legal, regulatory and compliance directives alone place a substantial requirement on any organization, of any type, be it a conglomerate, cash generating profit machine or a charity providing services and support on a not for profit basis. Oil or bananas, manufacturing or supply, media or mining… organizations in any industry vertical are faced with the need to employ some form of governance and management to ensure the effective and efficient operation of their organizations, create value for stakeholders, and meet their needs on a sustainable basis.

But besides the functional and ‘corporate’ governance and management disciplines, there is another enterprise dimension, an integrated thread running through almost every modern day organization – information technology. Enterprise information technology (IT) is today, arguably, the most critical component of businesses in the 21st century, empowering and enabling organizations around the globe. Enterprise IT is woven into the very fabric of organizations, strategic, tactical and operational and has now in its own right earned a ‘seat at the table’ along with the core operations of business. In fact, IT not only helps organizations to achieve

Michael Lane

WP0157 | July 2014

Mike is a respected technology

professional with nearly 20 years

experience, having held senior manager

positions in Information Technology,

Communications and Consulting.

Over his career he has managed a vast

number of Telecoms, IT, Business and

Consulting projects and programmes,

and the associated global cross functional

teams, with a strong track record of

results. Mike is a specialist in many

aspects of information technology,

including infrastructure, architecture,

systems development, business

processes, service management, policies

and standards, leadership, governance

and management.

Access our free, extensive lirary at www.orbussoftware.com/community

© Orbus Software 20142

their goals and objectives, but plays an ever increasing essential role in setting the strategic direction of enterprises.

So you can understand that with information technology having become so important, effective governance and management of this Enterprise IT is critical to the success of organizations today. Forming part of the overall enterprise governance and management of organizations, the governance and management of Enterprise IT needs a sound, structured framework to assure organizations are doing the right things, and doing them right when it comes to information technology. Many an IT Executive and Manager has despaired at the very thought of taking on the governance and management of their organization’s investment and future in information technology, but they need not have, help is well and truly at hand.

Despite its incredible global reach and growing prevalence, there are still many out there who know little or nothing about COBIT 5 – the business framework for the governance and management of Enterprise IT. If you are one of these people keep reading and you will find yourself going from being in the dark, to seeing the governance and management of information technology in your organization in a whole new light. Welcome to COBIT 5!

The Basics of COBIT 5History of COBIT

COBIT, at origination, was an abbreviation for Control Objectives for Information and related Technology. Nowadays it is simply known as COBIT. Originally conceptualized with a focus on Auditing in the area of Information Technology in 1996, its scope has evolved over the years moving through foci of Control Objectives, Management Guidelines, and IT Governance to current day, where, in its latest release, COBIT 5 of 2012, the scope and focus is on holistic Governance and Management of Enterprise IT. This most recent edition provides for an end-to-end business view of the governance of enterprise IT that reflects the central role of information and technology in creating value for enterprises.

Figure 1 (COBIT® 5, © 2012 ISACA® All rights reserved)

© Orbus Software 20143

According to ISACA, “COBIT 5 provides a comprehensive, holistic framework that helps enterprises to achieve their goals and deliver value through effective governance and management of enterprise IT.” (ISACA 2012, 5)

COBIT 5 builds and expands on COBIT 4.1 by integrating other major frameworks, standards and resources, including ISACA’s Val IT and Risk IT, Information Technology Infrastructure Library (ITIL®) and related standards from the International Organization for Standardization (ISO) like ISO 38500:2008 Corporate Governance of IT. COBIT 5 also aligns itself at a high level with existing frameworks such as TOGAF®, PMBOK® and PRINCE 2® which makes it an umbrella for governance and management.

Governance and Management

The official definition is –

“A Business Framework for the Governance and Management of Enterprise IT.” (ISACA 2012)

When forming an understanding of COBIT 5, it is useful to understand what the words Governance and Management mean, and then specifically, their meaning in the context of information technology.

Management

“Manage” comes from the Italian maneggiare (to handle, especially tools), which derives from the Latin word manus (hand)

(http://www.whatishumanresource.com/what-is-management)

“Management in business and organizations is the function that coordinates the efforts of people to accomplish goals and objectives using available resources efficiently and effectively. Management

Figure 2 (COBIT® 5, © 2012 ISACA® All rights reserved)

© Orbus Software 20144

comprises planning, organizing, staffing, leading or directing, and controlling an organization or initiative to accomplish a goal.”

(http://www.bbiafrica.com/business-management.html)

Governance

“Governance” is derived from the Greek verb kubernáo meaning “to steer”.

(http://www.itgi.org/About-Governance-of-Enterprise-IT.html)

“Governance refers to all processes of governing, whether undertaken by a government, market or network, whether over a family, tribe, formal or informal organization or territory and whether through laws, norms, power or language”

(http://www.sciencedaily.com/articles/g/governance.htm)

But what is Governance and Management in the domain of information technology? Let’s consider the below definitions from Gartner -

Gartner IT Governance Definition:

- IT governance (ITG) is defined as the processes that ensure the effective and efficient use of IT in enabling an organization to achieve its goals. IT demand governance (ITDG—what IT should work on) is the process by which organizations ensure the effective evaluation, selection, prioritization, and funding of competing IT investments; oversee their implementation; and extract (measurable) business benefits. ITDG is a business investment decision-making and oversight process, and it is a business management responsibility. IT supply-side governance (ITSG—how IT should do what it does) is concerned with ensuring that the IT organization operates in an effective, efficient and compliant fashion, and it is primarily a CIO responsibility

(http://www.gartner.com/it-glossary/it-governance)

Gartner IT Management Definition:

- IT management services provide day-to-day management and operation of IT assets and processes. As such, they represent the core value components of ITO*. IT management services are divided into three key sub-segments: operations services (for IT infrastructure), application management services and help desk management services. * IT operations as the people and management processes associated with IT service management to deliver the right set of services at the right quality and at competitive costs for customers

(http://www.gartner.com/it-glossary/it-management)

(http://www.gartner.com/it-glossary/it-operations)

© Orbus Software 20145

Bearing the definition from Gartner in mind and with the emphasis placed firmly on Governance in COBIT 5, it is important to look at how the IT Governance Institute (ITGI) defines Governance:

- The responsibility of executives and the board of directors; consists of the leadership, organizational structures and processes that ensure that the enterprise’s IT sustains and extends the enterprise’s strategies and objectives

[IT Governance Institute (ITGI)]

Business needs are the inputs and drivers for every Enterprise and without Governance and Management in place, an organizations probability of meeting its strategies and objectives would be significantly reduced. Let’s now take a closer look at these two critical domains within the COBIT 5 framework.

IT Governance is an integral part of the overall corporate or organizational governance of the business. The design and operation of the Enterprise IT environment is therefore a critical component, requiring sound governance to ensure that it enables and empowers the organization to realize its objectives.

In COBIT 5, the governance domain ensures that enterprise and information technology objectives are achieved by evaluating stakeholder needs, conditions and options; setting direction through prioritization and decision making; and monitoring performance, compliance and progress against agreed-on direction and objectives.

IT Management forms an integral part of the strategic management of the Enterprise, which is responsible for setting long term organizational goals, and translating these into tactical and short-term goals and objectives.

In COBIT 5, the management domain plans, builds, runs and monitors activities in alignment with the direction set by the governance body

Figure 3 (COBIT® 5, © 2012 ISACA® All rights reserved)

© Orbus Software 20146

to achieve the enterprise and information technology objectives. The responsibility areas of plan, build, run and monitor each have their own focus:

• Align, Plan and Organize (APO) – focus on the use of information and technology and how best it can be used to achieve a company’s goals and objectives.

• Build, Acquire and Implement (BAI) – focus on identifying IT requirements, acquiring the technology, and implementing IT within the company’s current business processes.

• Deliver, Service and Support (DSS) – focus on the delivery aspects of the information technology.

• Monitor, Evaluate and Assess (MEA) – focus on a company’s strategy in assessing the needs of the company and whether or not the current Enterprise IT meets the objectives for which it was designed and the controls necessary to comply with regulatory requirements.

But having Governance and Management domains and sub-domains is not in itself all-encompassing, there is much more to the COBIT 5 framework. The framework is extensive and comprehensive, and includes Governance of Enterprise IT (GEIT), Principles, Enablers, Processes, Practices and Activities, Goals and Metrics, Inputs and Outputs, RACI Charts and Process Capability Assessments.

In other words, COBIT 5 is a single, integrated framework of globally accepted principles, practices, analytical tools and models to not only shape the governance and management of enterprise IT in your business, but that optimizes your investment in information and technology for the benefit of all stakeholders.

What COBIT 5 does so efficiently and effectively is define and bring together five principles that allow the enterprise to build an effective governance and management framework based on a holistic set of seven enablers, five domains and 37 processes that optimizes information and technology investment and use for the benefit of all stakeholders.

Five Principles

Principle 1: Meeting Stakeholder Needs – stakeholders need value to be created by the Enterprise. Value to the stakeholder and the Enterprise means realizing benefits, with optimal risk and cost of resourcing. To meet these expectations, it is essential for an organization to have an enterprise governance objective of value creation.

Principle 2: Covering the Enterprise End-to-end - governance of enterprise IT (GEIT) is an integral part of enterprise governance, and needs to encompass the entire Enterprise end-to-end. The GEIT extends to all functions in the organization, where IT is present, therefore

© Orbus Software 20147

covering the Enterprise integrally and holistically.

Principle 3: Applying a Single Integrated Framework - there are a multitude of standards and frameworks used by enterprises today: COSO; COSO ERM; ISO/IEC 9000; ISO/IEC 31000; ISO/IEC 38500; ITIL, ISO/IEC 27000 series; TOGAF; PMBOK/PRINCE2 and CMMI. COBIT 5 aims to provide a single integrated framework for governance and management of Enterprise IT, spanning all IT activities in the organization and aligned to industry best practices, standards and frameworks

Principle 4: Enabling a Holistic Approach – by identifying enablers across the organization as a whole, COBIT ensures a holistic and effective approach to the governance and management of Enterprise IT. It is these seven Enablers which together empower the Enterprise to achieve its goals.

Principle 5: Separating Governance from Management – governance and management are not one in the same discipline. The purpose, objectives, activities and organizational structure of each is unique and distinct from the other. As such COBIT clearly separates governance from management in its framework.

Seven Enablers

• Principles, policies and frameworks provide practical guidance for day-to-day management and tasks, and inform the required behavior across the organization.

• Processes define how to translate inputs into outputs required by the Enterprise, to perform its organizational tasks and activities

Figure 4 (COBIT® 5, © 2012 ISACA® All rights reserved)

© Orbus Software 20148

in a standardized manner, and to help the achievement of IT and Enterprise goals.

• Organizational structures bring together the other enablers in a form that enables the organization to deliver on its strategies, co-ordinate and manage its resources, and facilitate decision making across the Enterprise

• Culture, ethics and behavior of the organizations employees, and the entity itself, are critical success factors for the sustainable governance and management of Enterprise IT and the creation of value.

• Information is often referred to as the lifeblood of the organization, running through all its veins, and essential for the effective and efficient operation, management and governance of the Enterprise.

• Services, infrastructure and applications provide the layers of technology and information required by the Enterprise

• People, skills and competencies are vital in every Enterprise, providing the human capital required to produce the Enterprise’s products/services, make effective decisions and taking any corrective actions necessary

Process Reference Model

There are 37 process within the COBIT 5 framework, spread across the Governance domain (5 processes) and Management domain (32 processes), covering everything required for governance and management of Enterprise IT. The latter 32 processes of the Management domain can further be broken down across the sub-domains as follows:

- Align Plan and Organize (APO) – 13 processes

- Build Acquire and Implement (BAI) – 10 processes

- Deliver Service and Support (DSS) – 6 processes

- Monitor Evaluate and Assess (MEA) –3 processes

Figure 5 (COBIT® 5, © 2012 ISACA® All rights reserved)

© Orbus Software 20149

To realize the benefits of the COBIT 5 framework, of course, it needs to be implemented in your organization. It’s also important to understand that implementing COBIT 5 is only the beginning, the start of your journey into the governance and management of Enterprise IT in your organization. The emphasis in a COBIT 5 implementation is on a continuous lifecycle.

Implementation

The recommended approach for the implementation of COBIT 5 is via a seven phase implementation lifecycle. Each phase contains Programme Management, Change Enablement and Continuous Improvement components which ensure the implementation programme is managed effectively, behavioral and cultural aspects are addressed and that it is not a once-off initiative.

Figure 6 (COBIT® 5, © 2012 ISACA® All rights reserved)

Figure 7 (COBIT® 5, © 2012 ISACA® All rights reserved)

© Orbus Software 201410

The implementation lifecycle moves through seven phases from when the need to act is recognized, the desire to change established and programme initiated in Phase 1, all the way to Phase 7 where the effectiveness of the programme and sustainability of the improvements are reviewed, new requirements for governance and management of Enterprise IT identified, and the essentiality of continual improvement reinforced. Then the lifecycle starts all over again.

1. Phase 1 asks What are the drivers?

2. Phase 2 asks Where are we now?

3. Phase 3 asks Where do we want to be?

4. Phase 4 asks What needs to be done?

5. Phase 5 asks How do we get there?

6. Phase 6 asks Did we get there?

7. Phase 7 asks How do we keep the momentum going?

The Seven Phases and the three components within each phase provide an integrated, cohesive and comprehensive implementation lifecycle.

Benefits

The COBIT 5 framework, focused on governance and management of Enterprise IT, is today helping organizations around the world to realize significant benefits. Some of these benefits include the ability to:

- Provide quality information for effective enterprise decision making

- Govern and manage Information

- Maximize trust in and value from Information and Technology systems and investments, for internal and external stakeholders

- Maintain high-quality information to support business decisions

- Achieve strategic goals and realize business benefits through the effective and innovative use of IT

- Achieve operational excellence through reliable, efficient application of technology

- Maintain an acceptable level of IT-related risk

- Optimize the cost of IT services and technology

- Simplify complex standards

- Support compliance with relevant laws, regulations, contractual agreements and policies

© Orbus Software 201411

COBIT 5 Family

The COBIT 5 framework is not an isolated framework, in fact there is actually a COBIT 5 family. This COBIT 5 family contains the COBIT 5 business framework itself, along with a series of Enabler and Professional guides. There is also a new expanded and improved online experience with COBIT 5 online which will unfold through to completion over 2014. And more publications are imminent, like the forthcoming - Controls and Assurance in the Cloud: Using COBIT 5 – due 2nd quarter 2014.

Conclusions

Many refer to the 21st century as the information age. There is no question that information and the technologies which supply and demand it, continue to become exponentially pervasive in everyday life. Both information and information technology have become securely embedded in the strategic management of the modern day organization.

This strategic position has duly warranted a heightened focus on governing and managing all aspects of information technology in the Enterprise. After all, as with any critical asset, tangible or intangible, one would want to be assured that value is being generated, and that costs and risks are optimized. In fact, board and executive stakeholders not only seek this assurance, but demand it, as an essential component of the organization’s enterprise governance and a measure of enterprise performance.

The pressure and challenge of defining and implementing IT governance and management processes has resulted in many organizations falling short when it comes to the governance and management of their enterprise IT. If only they had been fortunate enough to know about COBIT 5 and the COBIT 5 family.

COBIT 5 not only provides a business framework for the governance and management of Enterprise IT, it focuses on reducing risk, optimizing cost

Figure 8 (COBIT® 5, © 2012 ISACA® All rights reserved)

© Copyright 2014 Orbus Software. All rights reserved.

No part of this publication may be reproduced, resold, stored in a retrieval system, or distributed in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior permission of the copyright owner.

Such requests for permission or any other comments relating to the material contained in this document may be submitted to: marketing@orbussoftware.com

Orbus Software 3rd Floor 111 Buckingham Palace Road London SW1W 0SR United Kingdom

+44 (0) 870 991 1851 enquiries@orbussoftware.com www.orbussoftware.com

and maximising value and returns from your investments in information technology. It is no surprise that it is arguably the most comprehensive, generally accepted and in use framework focused on governance and management of Enterprise IT globally.

The need for Governance and Management of Enterprise IT is undisputed, and so too should be the choice of framework to use. In COBIT 5 there is a practical and available means to govern and manage information and technology, which can be used by a multitude of stakeholders in any organization anywhere in the world to drive business value and enable the achievement of business goals and objectives. COBIT 5 really is the smart choice for the Governance and Management of your Enterprise IT.

For information further to this introductory paper on COBIT 5, visit www.isaca.org

References

ISACA (2012). A Business Framework for the Governance and Management of Enterprise IT [PDF] Available from: http://www.isaca.org/COBIT/Documents/COBIT5-Ver2-FrameWork.pdf

[Accessed April 2014]

ISACA (2012). COBIT 5 Introduction [PDF] Available from: http://www.isaca.org/COBIT/Documents/An-Introduction.pdf

[Accessed April 2014]

IT Governance Institute IT GOVERNANCE USING COBIT® AND VAL ITTM: TIBO CASE STUDY, 2ND EDITION [PDF] Available from: http://www53.homepage.villanova.edu/james.borden/mac8287/cobit%20case%20study.pdf

[Accessed in March 2014]

http://www.isaca.org/COBIT/Pages/Product-Family.aspx

Bernard, P. (2012) COBIT® - A Management Guide. ©Van Haren Publishing, (2012)